Cisco routers: shutting down infrequently used services
1. Cisco Discovery Protocol (CDP)
CDP is a Cisco-proprietary layer 2 protocol that runs on all Cisco products and shares basic device information (platform, software version, addresses, interface names) with directly connected Cisco devices. It is independent of the physical media and of the network-layer protocol in use.
The information CDP leaks is useful to an attacker for reconnaissance, but the risk is limited because the CDP multicast frames can only be observed from within the same broadcast domain. Even so, disable CDP on the border router, or at least on every interface that connects to the public network.
CDP is enabled by default. Disable it globally with no cdp run, or on a single interface with no cdp enable in interface configuration mode. After disabling it, verify with show cdp (and show cdp neighbors) that nothing is being advertised.
2. TCP and UDP small servers
The TCP and UDP small servers are services that listen on ports 19 and below. All of them are obsolete: echo (port 7), discard (port 9), daytime (port 13) and chargen (port 19). In IOS releases before 11.3 they were enabled by default, so older routers should be checked explicitly.
The following shows an open connection to the chargen service on a router where it is still enabled (chargen streams a repeating character pattern until the session is closed):
Router#telnet 192.168.1.254 chargen
To turn these services off on the router:
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
After disabling them, test again from the EXEC prompt (telnet is an EXEC command, not a configuration command); the connection should now be refused:
Router#telnet 192.168.1.254 daytime
3. Finger
The finger protocol (TCP port 79) lets anyone on the network obtain the list of users currently logged in to the router, including the line number, connection name, idle time and location (source address) of each session. This is the same information the show users command provides.
Finger originated as a UNIX utility for finding out who is logged in to a host without having to log in to that host yourself.
The following shows how to check whether the finger service is open and how to disable it:
Router#telnet 192.168.1.254 finger
Router(config)#no ip finger
Router(config)#no service finger
When the router is fingered, it replies with the output of the show users command. To suppress the response, disable the service with no ip finger. Older IOS versions use no service finger; newer versions accept both commands.
4. Identd
The identification protocol (identd, TCP port 113) answers queries about the owner of a TCP connection: given the port pair of an existing connection, it reports the identity of the client that initiated it. It is an unauthenticated protocol originally intended to help identify the device at the other end of a connection. A device sends a request to TCP port 113 of the target, and the target responds with its identity information, such as host and device names.
If identd is enabled, an attacker can connect to TCP port 113, send a short query string and receive a response, gaining information useful for reconnaissance without any authentication.
To turn the identd service off:
Router(config)#no ip identd
Verify by telnetting to port 113 of the device; the connection should be refused.
5. IP source routing
The IP source-route option lets the sender dictate the path a packet takes, which an attacker can use to steer traffic around routing-based access controls or to reach hosts that should not be reachable. Disable it on all routers, including the border router:
Router(config)#no ip source-route
This stops the router from forwarding IP packets that carry the source-route option.
6. FTP and TFTP
Routers can act as FTP and TFTP servers so that images can be copied from one router to another. Using this capability is not recommended: both protocols are insecure, FTP because credentials and data travel in clear text, TFTP because it has no authentication at all.
By default the FTP server is disabled on the router; for safety, disable it explicitly anyway:
Router(config)#no ftp-server write-enable (IOS 12.3 and later)
Router(config)#no ftp-server enable
Likewise remove any tftp-server statements from the configuration, since they make the named files in flash available to anyone who asks.
Test by trying to connect to the router from a PC with an FTP client.
7. HTTP
Cisco IOS can expose a web-based management interface over HTTP (port 80) and HTTPS (port 443). Test whether it is reachable with a web browser, or from the router's own prompt:
Router#telnet 192.168.1.254 80
Router#telnet 192.168.1.254 443
To turn both services off and verify:
Router(config)#no ip http server
Router(config)#no ip http secure-server
Router#telnet 192.168.1.254 80
Router#telnet 192.168.1.254 443
Cisco Security Device Manager (SDM) manages the router over HTTP/HTTPS, so the HTTP service cannot be shut down if SDM is to be used.
If you choose to keep HTTP management, restrict which source addresses may connect with the ip http access-class command (it references a standard access list), and configure authentication with the ip http authentication command. For interactive logins the best choice is AAA with a TACACS+ or RADIUS server, which avoids using the enable password as the HTTP password. Prefer the HTTPS server over clear-text HTTP so that credentials are not sent in the clear.
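The telnet checks used in the small-servers, finger, identd and HTTP sections above can be scripted so that a single run reports every service that still answers. The following is an added example, not code from the original article: it performs a plain TCP connect to each port (7, 9, 13, 19, 79, 113, 80, 443), sends a request line where the service needs one, and records the first bytes returned. The router address 192.168.1.254 is the one used in the article; the request strings in NEEDS_REQUEST are assumptions chosen to make each service answer, and the connect function can be swapped for a fake to exercise the report offline.

```python
"""Probe a router for the clear-text services covered above.

Added example; this is not code from the original article. It scripts the
article's `telnet <router> <port>` checks: a TCP connect to each port, an
optional request line, and a read of the first bytes the service returns.
ROUTER is the address used in the article; NEEDS_REQUEST holds assumed
request strings that make the silent services answer.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ROUTER = "192.168.1.254"

# Service name -> TCP port, as covered in the article.
SERVICE_PORTS: Dict[str, int] = {
    "echo": 7, "discard": 9, "daytime": 13, "chargen": 19,
    "finger": 79, "identd": 113, "http": 80, "https": 443,
}

# Services that stay silent until they receive a request line (assumed inputs).
NEEDS_REQUEST: Dict[str, bytes] = {
    "echo": b"probe\r\n",               # echo returns whatever it is sent
    "finger": b"\r\n",                  # empty query: the equivalent of `show users`
    "identd": b"23, 40000\r\n",         # RFC 1413 query for a made-up port pair
    "http": b"GET / HTTP/1.0\r\n\r\n",  # any reply means the web server is up
}

Connector = Callable[[str, int, bytes], Optional[bytes]]


@dataclass
class ProbeResult:
    service: str
    port: int
    open: bool
    banner: bytes = b""


def tcp_connect(host: str, port: int, request: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Connect to host:port, send `request` if any, return up to 256 bytes of reply.

    Returns None when the connection is refused or times out (service closed
    or filtered). A port that accepts the connection but sends nothing returns b"".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        try:
            if request:
                sock.sendall(request)
            return sock.recv(256)
        except OSError:  # timeout or reset after connecting: the port was open
            return b""


def probe(host: str = ROUTER, connect: Connector = tcp_connect) -> List[ProbeResult]:
    """Run every check and return one result per service, in SERVICE_PORTS order."""
    results: List[ProbeResult] = []
    for name, port in SERVICE_PORTS.items():
        reply = connect(host, port, NEEDS_REQUEST.get(name, b""))
        results.append(ProbeResult(name, port, reply is not None, reply or b""))
    return results


def still_open(results: List[ProbeResult]) -> List[str]:
    """Services that accepted a connection; after hardening this list should be empty."""
    return [r.service for r in results if r.open]


if __name__ == "__main__":
    for r in probe():
        state = "OPEN" if r.open else "closed"
        print(f"{r.port:>4} {r.service:<8} {state:<6} {r.banner[:60]!r}")
```

Run it before and after applying the no service ... commands; a service that is off shows as closed, and a service behind an access list that silently drops the SYN also shows as closed once the connect times out, so a slow run is itself a hint that filtering rather than disabling is in place.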
8. SNMP
SNMP can be used to monitor and manage Cisco devices remotely, but it has many security issues, especially SNMPv1 and v2c, whose only authentication is a community string sent in clear text. Turning SNMP off completely takes three steps:
* remove the default (and any other) community strings from the router configuration;
* turn off SNMP traps and the SNMP system-shutdown feature;
* turn off the SNMP agent itself.
To see whether SNMP is configured, look for snmp-server lines in the output of show running-config.
The following configuration turns SNMP off completely:
Router(config)#no snmp-server community public RO
Router(config)#no snmp-server community private RW
Router(config)#no snmp-server enable traps
Router(config)#no snmp-server system-shutdown
Router(config)#no snmp-server trap-auth
Router(config)#no snmp-server
The first two commands delete the read-only and read-write community strings (yours may have different names; remove every community string present). The next three disable SNMP traps, the ability to reload the router via SNMP, and authentication-failure traps. The last command disables the SNMP agent on the router. Afterwards, verify with show snmp.
9. Domain name resolution
By default, when no name server is configured, a Cisco router sends its DNS queries to the broadcast address 255.255.255.255. Avoid relying on this, because any host on the segment can answer the broadcast and pose as the DNS server.
If the router uses DNS to resolve names, the configuration contains commands like these:
Router(config)#hostname santa
Router(config)#ip domain-name claus.gov
Router(config)#ip name-server 200.1.1.1 202.1.1.1
Router(config)#ip domain-lookup
The show hosts command lists the names that have been resolved, along with any static entries.
Because DNS has no built-in security, it is vulnerable to spoofing: an attacker sends a forged reply before the legitimate DNS server does. When the router receives two replies it normally discards the second, so the forged answer wins.
To address this, either make sure the router has a trusted path to its DNS servers, or do not use DNS on the router at all and resolve names statically: disable DNS lookup and define the few host names you need with the ip host command. Note that a router without a configured name server still generates DNS queries (as local broadcasts) whenever an unknown word is typed at the EXEC prompt; to prevent that, either configure specific servers with ip name-server or disable lookup altogether. The following shows the test before and after disabling lookup:
Router#telnet www.quizware.com 80 (test: the router tries to resolve the name)
Router(config)#no ip domain-lookup
Router#telnet www.cisco.com 80 (now fails at once because no lookup is attempted)
10. BOOTP
BOOTP is a UDP service used to hand address information to diskless workstations and, in many other cases, to load an operating system onto a device. A router running the BOOTP server can, for example, serve a copy of its IOS image to another router acting as a BOOTP client.
The client sends a local broadcast to UDP port 67 (the same port DHCP uses). For this to work, a BOOTP server must be configured to supply the IP address information and any requested files.
A Cisco router can act as a BOOTP server, providing the requesting device with files from its flash. Disable it, for three reasons:
* there is rarely any real need for BOOTP any more;
* BOOTP has no authentication mechanism: anyone can request files from the router, and the router will answer regardless of who asks;
* it is vulnerable to DoS attacks.
The service is enabled by default. To turn BOOTP off:
Router(config)#no ip bootp server
11. DHCP
DHCP lets a host obtain all of its IP configuration from a server: IP address, subnet mask, domain name, DNS server addresses, WINS server address, TFTP server address and more. Cisco routers can act both as DHCP clients and as DHCP servers.
When a Cisco router is used as a border router, the only case in which it should be a DHCP client is when it connects to the ISP through a DSL or cable modem and the ISP assigns address information with DHCP. Otherwise, never configure the router as a DHCP client.
Similarly, the only scenario in which the router should be a DHCP server is a SOHO environment where the router is essentially the only device available to assign addresses to the PCs. If you do this, make sure UDP port 67 is filtered on the router's external interface, so that DHCP and BOOTP requests from outside are blocked.
The DHCP service is enabled by default. To turn it off:
Router(config)#no service dhcp
This prevents the router from acting as a DHCP server or as a DHCP relay agent.
12. PAD
The packet assembler/disassembler (PAD) service is used on X.25 networks to provide reliable connections between remote sites.
PAD can be useful to an attacker: if an attacker gains control of a device that is directly connected to the router, and the router is running the PAD service, the router will accept any PAD connection from that device.
To turn the service off:
Router(config)#no service pad
13. Configuration auto-loading
When a Cisco router boots, it goes through several stages, locating the Cisco IOS image and the configuration file, before the CLI prompt appears. The boot sequence has five steps:
* load and run the power-on self test (POST) from ROM, testing hardware components such as flash memory and the interfaces;
* load and run the bootstrap loader;
* the bootstrap loader locates and loads the Cisco IOS image, which may come from flash, from a TFTP server or from ROM;
* once IOS is running, a configuration file is located and executed: normally from NVRAM, but if NVRAM is empty the System Configuration dialog starts, or the router obtains a configuration file via TFTP;
* the user EXEC prompt appears.
When locating the IOS image, assuming no boot system commands are present in the configuration, the router first looks for a valid Cisco IOS image in flash. If flash contains no image, it attempts a network boot: it broadcasts a TFTP request for the operating system file and accepts it from whichever server answers. If that also fails, the router falls back to the limited image in ROM.
Because TFTP is used during startup, this loading process has no security at all, and the router should not be allowed to fetch its files this way. To remove a configured network source for the configuration file, negate the boot network statement:
Router(config)#no boot network remote-url
where remote-url takes one of these forms:
  ftp:[[[//[username[:password]@]location]/directory]/filename]
  rcp:[[[//[username@]location]/directory]/filename]
  tftp:[[[//location]/directory]/filename]
After the IOS image loads, the router looks for a configuration file. If NVRAM holds none, the router either starts the System Configuration dialog or, if the network configuration option is enabled, uses TFTP broadcasts to look for a configuration file on the network. Disable that option with:
Router(config)#no service config
14. Gratuitous ARP
By default, most Cisco routers send a gratuitous ARP message whenever a client connects over PPP and negotiates an IP address. Gratuitous ARP is also the main mechanism used in ARP poisoning attacks.
The router generates this gratuitous ARP even when the client receives its address from a local address pool.
To disable the sending of gratuitous ARPs:
Router(config)#no ip gratuitous-arps
15. IP classless routing
With ip classless enabled, a packet destined for a subnet of a directly connected classful network for which the router has no specific route is forwarded along the best matching supernet or default route instead of being dropped. Disabling it makes the router drop such packets. Before turning it off, check that your routing design does not rely on this behaviour (for example discontiguous subnets reached through a default route), because disabling it silently blackholes that traffic.
To turn IP classless routing off, use no ip classless in global configuration mode.
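Every service in this article leaves a trace, or a telling absence, in show running-config, so a configuration can be audited offline before anyone touches the router. The following is an added example, not code from the original article: it classifies the services into those IOS enables by default (still running unless the explicit no ... line is printed) and those off by default (running only if an enabling line is present), reports which are still enabled, and emits the commands from this article that would turn them off. The default tables reflect typical IOS 12.x behaviour and are an assumption to adjust for your release; the sample configuration is constructed for the demonstration.

```python
"""Audit the text of `show running-config` for the services covered in this article.

Added example; this is not code from the original article. It relies on how
IOS prints its configuration: a service that is enabled by default is still
running unless the explicit `no ...` line appears in the output, while a
service that is disabled by default is running only if an enabling line
appears. The two tables below reflect typical 12.x defaults and are an
assumption to adjust for your release (for instance, the small servers were
on by default before IOS 11.3). SAMPLE_CONFIG is a constructed configuration.
"""
import re
from typing import Dict, List, Tuple

# service -> (regex proving it has been DISABLED, command that disables it).
# Only the global `no cdp run` counts for CDP: a per-interface `no cdp enable`
# leaves CDP running on every other interface.
DEFAULT_ON: Dict[str, Tuple[str, str]] = {
    "cdp":               (r"^no cdp run$",             "no cdp run"),
    "ip source routing": (r"^no ip source-route$",     "no ip source-route"),
    "bootp server":      (r"^no ip bootp server$",     "no ip bootp server"),
    "dhcp service":      (r"^no service dhcp$",        "no service dhcp"),
    "pad":               (r"^no service pad$",         "no service pad"),
    "gratuitous arp":    (r"^no ip gratuitous-arps$",  "no ip gratuitous-arps"),
    "dns lookup":        (r"^no ip domain[- ]lookup$", "no ip domain-lookup"),
    "ip classless":      (r"^no ip classless$",        "no ip classless"),
}

# service -> regex proving it has been ENABLED. Negating the matched line
# (`no <line>`) is what removes it, so no separate fix command is needed.
DEFAULT_OFF: Dict[str, str] = {
    "tcp small servers": r"^service tcp-small-servers",
    "udp small servers": r"^service udp-small-servers",
    "finger":            r"^(ip|service) finger",
    "identd":            r"^ip identd",
    "ftp server":        r"^ftp-server ",
    "tftp server":       r"^tftp-server ",
    "http server":       r"^ip http server",
    "https server":      r"^ip http secure-server",
    "snmp":              r"^snmp-server ",
    "boot network":      r"^boot network ",
    "service config":    r"^service config$",
}

# Constructed sample: a partially hardened border router.
SAMPLE_CONFIG = """\
!
version 12.4
service timestamps debug datetime msec
no service pad
service tcp-small-servers
hostname santa
ip domain-name claus.gov
ip name-server 200.1.1.1 202.1.1.1
no ip source-route
no ip bootp server
ip http server
no ip http secure-server
snmp-server community public RO
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 no cdp enable
!
end
"""


def config_lines(config: str) -> List[str]:
    """Strip indentation and comment lines so every command compares alike."""
    lines = (raw.strip() for raw in config.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!")]


def audit(config: str) -> List[str]:
    """Return the names of the services that still appear to be enabled."""
    lines = config_lines(config)
    enabled = [name for name, (off_re, _) in DEFAULT_ON.items()
               if not any(re.match(off_re, ln) for ln in lines)]
    enabled += [name for name, on_re in DEFAULT_OFF.items()
                if any(re.match(on_re, ln) for ln in lines)]
    return sorted(enabled)


def remediation(config: str) -> List[str]:
    """Global-configuration commands that would disable every flagged service."""
    lines = config_lines(config)
    cmds = [fix for off_re, fix in DEFAULT_ON.values()
            if not any(re.match(off_re, ln) for ln in lines)]
    for on_re in DEFAULT_OFF.values():
        cmds += ["no " + ln for ln in lines if re.match(on_re, ln)]
    if any(ln.startswith("snmp-server ") for ln in lines):
        cmds.append("no snmp-server")  # removing the strings is not enough: stop the agent too
    return cmds


if __name__ == "__main__":
    print("still enabled:", ", ".join(audit(SAMPLE_CONFIG)))
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

On the sample the audit flags CDP (only disabled on one interface), DHCP, gratuitous ARP, DNS lookup, IP classless, the TCP small servers, the HTTP server and SNMP, and leaves PAD, source routing, BOOTP and HTTPS alone because the configuration already shows them disabled. Review the IP classless item against your routing design before pasting the commands.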